Taegis™ NDR Detectors🔗
Note
Taegis NDR is an evolution of iSensor, but with a new name and soon with expanded capabilities. You may see some references to the iSensor branding as we complete this transition.
For more information on Taegis™ NDR, see Taegis™ NDR Overview.
Taegis™ NDR is a Network IDS/IPS solution that can be deployed as either a virtual or physical appliance within your network. It leverages Secureworks proprietary signatures to detect and prevent network-based threats in real-time. In addition, the NDR Device automatically downloads Secureworks curated Threat Indicators (IP addresses and Domains) to identify malicious connections as they occur on your network. NDR is a separately contracted feature that may be included with Secureworks® Taegis™ MDR.
The NDR Device also continuously collects network telemetry that may be used in the following detectors:
- Domain Generation Algorithms
- Rare Program to Rare IP
- Stolen Credentials
- Tactic Graphs™ Detector
- Punycode Detector
- IP Watchlist
- Domain Watchlist
Requirements🔗
This detector requires the following data sources, integrations, or schemas:
- NDR Device
- Detections, NIDS, Netflow
Inputs🔗
Detections are from the following normalized sources:
- Detections, NIDS, Netflow
Outputs🔗
Detections from this detector are pushed to the XDR Detection Database and Detection Triage Dashboard.
Configuration Options🔗
This detector is enabled by default when the required data sources or integrations are available in the tenant.
MITRE ATT&CK Category🔗
MITRE mapping is based on the detection signature. Check the detection for the specific mapping.
Detector Testing🔗
This detector does not have a supported testing method, though an Advanced Search will verify if detections originated with this detector.
Note
If no supported testing method is available, an Advanced Search will show you if any detections came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.
FROM detection WHERE metadata.creator.detector.detector_id='app:event-filter:nids' AND sensor_types='ISENSOR'